# Docker

## Quick Guide

Here are the top 3 precautions to take when building your container:

### 1. Don't run your container as root

Define a dedicated user to run your program.

```docker
FROM alpine:3.12
# Alpine's BusyBox userland ships addgroup/adduser (groupadd/useradd are not installed);
# -S creates a system group/user with no password and no home directory
RUN addgroup -S myuser && adduser -S -G myuser myuser
# <HERE DO WHAT YOU HAVE TO DO AS A ROOT USER LIKE INSTALLING PACKAGES ETC.>
USER myuser
```

You can also choose to run the container in [rootless](https://docs.docker.com/engine/security/rootless/) mode.

### 2. Choose an official image and pin it to a specific tag

We are (badly) used to the good old `myimage:latest`, but it can give us unpleasant surprises when one of these images is updated and breaks our code.

So use only official images with a well-defined tag:

```docker
# 🚫
FROM alpine

# ✅
FROM alpine:3.12
```

### 3. Run a vulnerability scan

Whenever you build your image, run a scan to check that it contains no worrying vulnerabilities (focus mainly on **HIGH** and **CRITICAL**).

One option is to use [Trivy](https://aquasecurity.github.io/trivy/v0.32/getting-started/quickstart/).

[Demo video](https://user-images.githubusercontent.com/1161307/171013513-95f18734-233d-45d3-aaf5-d6aec687db0e.mov)
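As an added example (not code from this page or from Trivy), a small Python pre-build check that applies rules 1 and 2 to a Dockerfile, including multi-stage builds, and assembles the Trivy command line for rule 3; the Dockerfiles in `SAMPLES` are constructed for the demo, and `--severity` / `--exit-code` are real Trivy flags.

```python
import shlex  # only used to build the scan command line safely


def check_dockerfile(text: str) -> list[str]:
    """Return findings for unpinned or :latest base images and a root final USER."""
    findings = []
    stage_user = {}            # stage alias -> USER in effect at the end of that stage
    alias, user = None, None
    for raw in text.splitlines():
        parts = raw.strip().split()
        if not parts or parts[0].startswith("#"):
            continue
        instr = parts[0].upper()
        if instr == "FROM":
            if alias:              # close the previous named stage
                stage_user[alias] = user
            args = [p for p in parts[1:] if not p.startswith("--")]  # drop --platform=...
            image = args[0]
            alias = args[2] if len(args) >= 3 and args[1].upper() == "AS" else None
            user = stage_user.get(image)   # FROM <stage> inherits that stage's USER
            if image in stage_user or image == "scratch" or "@sha256:" in image:
                continue           # earlier stage, empty image or digest-pinned: fine
            name = image.rsplit("/", 1)[-1]  # strip registry[:port]/namespace
            if ":" not in name:
                findings.append(f"FROM {image}: no tag, resolves to :latest")
            elif name.endswith(":latest"):
                findings.append(f"FROM {image}: ':latest' is not reproducible")
        elif instr == "USER":
            user = parts[1]
    if user is None:
        findings.append("no USER instruction: the container runs as root")
    elif user.split(":")[0] in ("root", "0"):
        findings.append(f"USER {user}: the container runs as root")
    return findings


def trivy_command(image: str) -> str:
    """Scan command for rule 3: exit non-zero on any HIGH/CRITICAL finding."""
    return shlex.join(["trivy", "image", "--severity", "HIGH,CRITICAL",
                       "--exit-code", "1", image])


# Constructed samples: one breaking rules 1 and 2, one multi-stage build that follows them.
SAMPLES = {
    "bad": "FROM alpine\nRUN apk add --no-cache curl\n",
    "good": ("FROM golang:1.19 AS builder\nRUN go build -o /app ./cmd\n"
             "FROM alpine:3.12\nCOPY --from=builder /app /app\n"
             "RUN addgroup -S myuser && adduser -S -G myuser myuser\nUSER myuser\n"),
}
```

Run `check_dockerfile(open("Dockerfile").read())` in CI before `docker build`, then run the string from `trivy_command("myimage:1.0")` so the pipeline fails on HIGH/CRITICAL findings.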

## Useful Links

### Articles

* [Official - Docker security](https://docs.docker.com/engine/security/)
* [OWASP - Docker Security Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html)
* [Aqua - Top 20 Docker Security Best Practices: Ultimate Guide](https://blog.aquasec.com/docker-security-best-practices)
* [Snyk - 10 best practices to build a Java container with Docker](https://snyk.io/blog/best-practices-to-build-java-containers-with-docker)
* [ReynardSec - Docker Security – Step-by-Step Hardening (Docker Hardening)](https://reynardsec.com/en/docker-platform-security-step-by-step-hardening/)

### Videos

* [HackerSploit - Docker Security Essentials | How To Secure Docker Containers](https://www.youtube.com/watch?v=KINjI1tlo2w)
* [TechWorld with Nana - Top 8 Docker Best Practices for using Docker in Production](https://www.youtube.com/watch?v=8vXoMqWgbQQ)

### Labs / Tutorials / Courses

* [TryHackMe - DEEPCE](https://tryhackme.com/room/deepce) (requires being logged in to THM)
* [Play With Docker](https://www.docker.com/play-with-docker/): tutorials, hands-on labs and training to learn Docker.
* [FreeCodeCamp :: Docker Containers and Kubernetes Fundamentals – Full Hands-On Course](https://www.youtube.com/watch?v=kTp5xUtcalw)

### Tools

* [DEEPCE - Docker Enumeration, Escalation of Privileges and Container Escapes](https://github.com/stealthcopter/deepce)
